Following a two-month investigation by researchers at Cisco's Duo Security, more than 500 malicious extensions that injected ads into the browsers of unsuspecting users have been removed from the Chrome Web Store.
The malicious code in the extensions was triggered only under certain conditions (which also helps it evade a cursory review) and then redirected users to particular sites. In some cases the destination was an affiliate link to a legitimate retailer (such as Macys, Dell, or BestBuy); in other cases the link could be malicious, for example a phishing page or a site offering a malware download.
The researchers say these extensions were part of a larger campaign that had been active for more than two years, and they suspect that the group behind the operation may have been active since the early 2010s.
The malicious extensions were noticed during routine threat hunting: Cisco Duo Security researchers spotted a set of malicious sites that shared a common URL pattern. Using the CRXcavator extension-analysis service, they identified an initial cluster of ad-injecting extensions that were built on an almost identical code base and carried generic names that said almost nothing about their purpose.
These patterns convinced the researchers that they were dealing with a large-scale malicious campaign: according to Cisco Duo Security, the first set of these extensions alone had been installed more than 1.7 million times. Google then carried out its own investigation and found that more than 500 extensions in total matched the same template.
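As an added illustration of the triage step just described (this is not Duo Security's or CRXcavator's code, and every extension ID, name, script and domain in it is constructed for the example), the Python script below strips string literals, comments and whitespace from each extension's background script, hashes what remains so that extensions built from one template land in one cluster, and then reports the DNS suffix that the hard-coded URLs of a cluster have in common:

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: fake 32-character extension IDs mapped to (name, script).
# None of this is real data from the Duo Security / Google investigation.
SAMPLE_EXTENSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("MapsTool", """
        // toy: fetch a config, then redirect tabs that match it
        const cfg = "https://mapstool-cfg.example.net/c.json";
        fetch(cfg).then(r => r.json()).then(c => {
          if (navigator.userAgent.indexOf("Windows") > -1 && c.go) {
            chrome.tabs.update({url: "https://mapstool-go.example.net/r?u=" + c.go});
          }
        });
    """),
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("WeatherNow", """
        const cfg = "https://weathernow-cfg.example.net/c.json";
        fetch(cfg).then(r => r.json()).then(c => {
          if (navigator.userAgent.indexOf("Windows") > -1 && c.go) {
            chrome.tabs.update({url: "https://weathernow-go.example.net/r?u=" + c.go});
          }
        });
    """),
    "cccccccccccccccccccccccccccccccc": ("Recipe Saver", """
        // unrelated extension with its own code
        chrome.action.onClicked.addListener(tab => {
          chrome.storage.local.set({saved: tab.url});
        });
    """),
    "dddddddddddddddddddddddddddddddd": ("StockTicker", """
        const cfg  =   "https://stockticker-cfg.example.net/c.json";  /* same logic, reflowed */
        fetch(cfg).then(r=>r.json()).then(c=>{
          if(navigator.userAgent.indexOf("Windows")>-1&&c.go){
            chrome.tabs.update({url:"https://stockticker-go.example.net/r?u="+c.go});
          }
        });
    """),
}

# Toy JS normaliser: strings are replaced first so that "//" inside URLs is
# not mistaken for a comment; this is not a real tokenizer.
_STR = re.compile(r'''"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|`(?:[^`\\]|\\.)*`''')
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_WS = re.compile(r"\s+")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def normalize_source(src):
    """Drop per-extension details (strings, comments, layout), keep the logic."""
    s = _STR.sub('"<s>"', src)
    s = _BLOCK_COMMENT.sub("", s)
    s = _LINE_COMMENT.sub("", s)
    return _WS.sub("", s)


def fingerprint(src):
    """Template fingerprint: SHA-256 of the normalised source."""
    return hashlib.sha256(normalize_source(src).encode()).hexdigest()


def extract_hosts(src):
    """Hostnames of every http(s) URL found in the raw (un-normalised) source."""
    return sorted({h.lower() for h in _URL_HOST.findall(src)})


def common_dns_suffix(hosts):
    """Longest label-aligned suffix shared by all hosts, e.g. 'example.net'."""
    if not hosts:
        return ""
    reversed_labels = [list(reversed(h.lower().split("."))) for h in hosts]
    shared = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))


def cluster_by_fingerprint(extensions):
    clusters = defaultdict(list)
    for ext_id, (_name, src) in extensions.items():
        clusters[fingerprint(src)].append(ext_id)
    return dict(clusters)


def triage(extensions, min_cluster=2):
    """Clusters of at least `min_cluster` extensions that share one code template."""
    findings = []
    for fp, ids in cluster_by_fingerprint(extensions).items():
        if len(ids) < min_cluster:
            continue
        hosts = sorted({h for i in ids for h in extract_hosts(extensions[i][1])})
        findings.append({
            "fingerprint": fp[:12],
            "extension_ids": sorted(ids),
            "hosts": hosts,
            "shared_suffix": common_dns_suffix(hosts),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXTENSIONS):
        print(f"cluster {f['fingerprint']}: {len(f['extension_ids'])} extensions, "
              f"{len(f['hosts'])} hosts, shared suffix {f['shared_suffix']!r}")
        for ext_id in f["extension_ids"]:
            print("  ", ext_id, SAMPLE_EXTENSIONS[ext_id][0])
```

On the constructed sample this yields one cluster of three extensions (the fourth, with unrelated code, stays out) and the shared suffix `example.net`, which is the kind of URL pattern a hunter would then turn into a search across the rest of the store. The normaliser is deliberately crude: it handles one file per extension, does not parse JavaScript, and an attacker who re-orders statements or minifies with different settings will break an exact hash, so a real pipeline would fingerprint per file in the unpacked CRX and use a fuzzy similarity measure rather than equality.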
It is unclear exactly how many users installed these malicious extensions, but the victims most likely number in the millions. After banning the extensions from the Chrome Web Store, Google engineers also deactivated them in users' browsers and flagged them as malicious, so that users would remove them rather than re-enable them.
The identifiers of all extensions that were part of this campaign can be found in the Cisco Duo Security report.